Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Published advisories (all published Feb 26, 2026 by klaustopher):

- GHSA-v8cr-7x8f-78mq (Critical): Insecure Direct Object Reference in Project Storage Administration Theft & Pre-Auth Remote Folder Deletion
- GHSA-c76v-8735-35hq (Moderate): Missing boundary check allows users with Manage Agenda Items permission in one project to create Agenda Items in Meetings in other projects
- GHSA-w9w6-f59w-89vj (Moderate): Authorization bypass via MCP endpoint
- GHSA-3qgp-q2x5-c4jw (Moderate): IDOR on OpenProject via PUT /work_packages/[workPackageId]/activities/[activityId]/toggle_reaction allows reader user to read internal comments
- GHSA-w92f-h4wh-g4w4 (High): Improper Authentication on OpenProject through /oauth/authorize via GET parameter "redirect_uri" when using mobile OAuth app
- GHSA-p3hw-5g6p-69f2 (Moderate): IDOR on OpenProject allows any user to overwrite any sprint/version title
- GHSA-xfmm-g339-3x85 (Moderate): IDOR on backlog stories allows leaking of work package subject
- GHSA-qpg6-635j-wjc2 (Moderate): Information disclosure on OpenProject through /api/v3/custom_fields/{id}/items
- GHSA-xw8w-4qxm-g9gv (Moderate): IDOR on OpenProject through /meetings/{meeting_id}/agenda_items/{id}/move_to_section via POST request
- GHSA-cxm3-9m5g-9cq4 (Low): Stored HTML Injection via MentionFilter Bypass Leads to Credential Harvesting in Email Notifications
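Several of the advisories above share one root cause: an endpoint resolves a record by the id in the URL and checks that the caller holds a permission somewhere, without checking that the permission applies to the project that actually owns that record. The following is an added illustration of that pattern and of the corresponding fix, written for this page; it is not OpenProject code and says nothing about how any listed advisory was exploited or patched. The `AgendaService`, `Meeting`, `Membership` names, the `:manage_agenda` permission symbol and the sample records are all constructed for the example.

```ruby
# Illustrative example, not OpenProject code. Contrasts an IDOR-prone lookup
# (permission checked globally, record fetched by bare id) with a lookup that
# binds the permission check to the project owning the requested record.
# All record types, names and sample data below are constructed for the example.

Meeting    = Struct.new(:id, :project_id, :title)
Membership = Struct.new(:user_id, :project_id, :permissions)

class NotAuthorized < StandardError; end
class NotFound < StandardError; end

class AgendaService
  def initialize(meetings:, memberships:)
    @meetings = meetings
    @memberships = memberships
  end

  # IDOR-prone: "does the user hold :manage_agenda in *any* project?" followed by
  # a lookup by id alone. A member of project A can target a meeting in project B
  # simply by choosing B's meeting id.
  def add_item_unscoped(user_id, meeting_id, item)
    holds_permission = @memberships.any? do |m|
      m.user_id == user_id && m.permissions.include?(:manage_agenda)
    end
    raise NotAuthorized unless holds_permission

    meeting = @meetings.find { |m| m.id == meeting_id } or raise NotFound
    [meeting.id, item]
  end

  # Hardened: resolve the meeting first, then require the permission in that
  # meeting's own project. Unknown ids and unauthorized ids both raise NotFound
  # so the endpoint does not confirm that a record exists in another project.
  def add_item_scoped(user_id, meeting_id, item)
    meeting = @meetings.find { |m| m.id == meeting_id } or raise NotFound

    allowed = @memberships.any? do |m|
      m.user_id == user_id &&
        m.project_id == meeting.project_id &&
        m.permissions.include?(:manage_agenda)
    end
    raise NotFound unless allowed

    [meeting.id, item]
  end
end

# Constructed sample data: user 7 may manage agendas only in project 10.
MEETINGS    = [Meeting.new(1, 10, "Sprint review"), Meeting.new(2, 20, "Board meeting")].freeze
MEMBERSHIPS = [Membership.new(7, 10, [:manage_agenda])].freeze

# Runs each variant against a cross-project id and an own-project id and
# reports :allowed or the name of the error raised.
def demo
  svc = AgendaService.new(meetings: MEETINGS, memberships: MEMBERSHIPS)
  outcome = lambda do |&call|
    call.call
    :allowed
  rescue NotFound, NotAuthorized => e
    e.class.name.to_sym
  end

  {
    unscoped_cross_project: outcome.call { svc.add_item_unscoped(7, 2, "Injected item") },
    scoped_cross_project:   outcome.call { svc.add_item_scoped(7, 2, "Injected item") },
    scoped_own_project:     outcome.call { svc.add_item_scoped(7, 1, "Review notes") }
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The unscoped variant accepts the cross-project write because the permission check and the record lookup are never joined; the scoped variant rejects it and answers the same way it would for a nonexistent id. The same "resolve the record, then authorize against its owner" ordering applies to reads and to any other mutation keyed by a client-supplied id.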
Learn more about advisories related to opf/openproject in the GitHub Advisory Database